Hi all,

About CVE-2024-24780[1][2], I think it may not be a problem in IoTDB.

The permission to create UDFs is a high-level privilege in IoTDB, and by default, only the root user has it in IoTDB. Therefore, we believe that users with this privilege should be responsible for the security of the cluster. Moreover:

1. Even if we disable the function of loading JAR packages from remote URIs, people with the corresponding permissions can still copy risky JAR packages to the local disk of the server where the cluster is located and load them.

2. Even if we add a whitelist configuration, people who can log in to the server where the cluster is located can also modify the whitelist configuration items, rendering it ineffective.

Therefore, I believe that maintaining the status quo will not pose a security risk.

What do you think?

[1] https://cveprocess.apache.org/cve5/CVE-2024-24780
[2] https://lists.apache.org/thread/8logyynghs3s0qsp9lq7tbtyv6llmpvp

Best regards,
-----------------------------
Yuan Tian